Computer networks are carrying an ever-increasing number of traffic flows with diverse characteristics. In many cases, these characteristics are benign, such as the application that generated a particular traffic flow. In other cases, a traffic flow can exhibit malicious characteristics, such as being associated with malware, data exfiltration, denial of service (DoS) attacks, and the like.
Capturing traffic characteristics improves the functioning of the network by enabling network devices and network administrators to adjust the operation of the network dynamically. For example, a router or other networking device may use information about the application associated with a particular traffic flow to prioritize delivery of that flow (e.g., video conferencing traffic is far more sensitive to jitter and delay than email traffic). In another example, a networking device may use the captured traffic information to detect, and often prevent, network attacks and other anomalies in the network. In both examples, classification is typically performed in real time or near real time, allowing the network to adapt quickly to changes in the traffic flows and flow characteristics present in the network. A classifier operating in this mode, however, sees only the flows currently in progress and the limited state it keeps about them.
Network forensics and retrospective detection are techniques that can further enhance the assessment of captured traffic characteristics. In contrast to mechanisms that evaluate network traffic flows as they occur, forensics and retrospective detection techniques leverage historical information about the traffic flows. For example, a system may retroactively detect a subtle and previously unseen form of network attack that unfolds gradually over time (such as low-rate, timer-driven communication with a command-and-control host, where any single flow looks innocuous) by analyzing traffic flow characteristics accumulated over hours or days. However, it is infeasible to retain all traffic data indefinitely due to system resource constraints, so what is kept for retrospective analysis is necessarily a bounded, condensed record of the traffic rather than a complete copy of it.
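The following is an added illustration, not code from the original document, of the trade-off described above: a store that keeps only bounded per-flow-key summaries (no packet payloads, and at most a fixed number of time buckets and start times per key), plus a retrospective check that runs over that retained history to find a slowly beaconing host. The class and function names, the 5-minute bucket size, the 24-hour retention budget, the periodicity thresholds and the sample traffic are all assumptions constructed for the example; the sample traffic is generated in the script so it runs offline.

```python
import random
from collections import defaultdict, deque
from statistics import mean, pstdev

BUCKET_SECONDS = 300     # assumed granularity of retained summaries (5 minutes)
RETAINED_BUCKETS = 288   # assumed budget: 24 hours of 5-minute buckets per key
MAX_STARTS = 500         # assumed cap on retained flow start times per key


class FlowSummaryStore:
    """Bounded retention of flow summaries keyed by (src, dst, dport).

    Instead of raw packets or unbounded flow logs, each key keeps a deque of
    (bucket_start, flow_count, byte_total) capped at RETAINED_BUCKETS and a
    deque of recent flow start times capped at MAX_STARTS. Memory therefore
    grows with the number of distinct keys, not with traffic volume or age;
    the oldest entries are discarded automatically when a cap is reached.
    """

    def __init__(self):
        self.buckets = defaultdict(lambda: deque(maxlen=RETAINED_BUCKETS))
        self.starts = defaultdict(lambda: deque(maxlen=MAX_STARTS))

    def add_flow(self, ts, src, dst, dport, nbytes):
        """Fold one flow record (assumed to arrive in time order) into the store."""
        key = (src, dst, dport)
        bucket = ts - (ts % BUCKET_SECONDS)
        hist = self.buckets[key]
        if hist and hist[-1][0] == bucket:
            b, count, total = hist[-1]
            hist[-1] = (b, count + 1, total + nbytes)
        else:
            hist.append((bucket, 1, nbytes))
        self.starts[key].append(ts)


def find_periodic_keys(store, min_flows=20, max_cv=0.1):
    """Retrospective check over retained history for timer-driven traffic.

    A beacon fires at nearly fixed intervals, so the coefficient of variation
    (stdev / mean) of its inter-arrival gaps is close to zero; human-driven
    browsing to the same destination has gaps with CV near or above 1.
    Returns {key: (mean_interval_seconds, cv)} for keys below max_cv.
    The thresholds are assumptions chosen for this example.
    """
    hits = {}
    for key, starts in store.starts.items():
        if len(starts) < min_flows:
            continue
        ts = list(starts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits[key] = (m, cv)
    return hits


def constructed_flows(seed=1):
    """Constructed sample traffic: 24 hours of benign browsing from five
    workstations plus one host beaconing every ~10 minutes to a single
    destination with tiny payloads. Addresses are documentation ranges."""
    rng = random.Random(seed)
    day = 24 * 3600
    flows = []
    for _ in range(3000):
        ts = rng.randrange(0, day)
        src = f"10.0.0.{rng.randint(10, 14)}"
        dst = f"203.0.113.{rng.randint(1, 20)}"
        flows.append((ts, src, dst, 443, rng.randint(2_000, 200_000)))
    t = rng.randrange(0, 600)
    while t < day:
        flows.append((t, "10.0.0.12", "198.51.100.7", 443, rng.randint(300, 500)))
        t += 600 + rng.randint(-5, 5)   # small jitter, as real beacons have
    flows.sort()
    return flows


def run_example():
    """Ingest the constructed day of traffic and return the retrospective hits."""
    store = FlowSummaryStore()
    for flow in constructed_flows():
        store.add_flow(*flow)
    return find_periodic_keys(store)


if __name__ == "__main__":
    for key, (interval, cv) in run_example().items():
        print(f"periodic: {key} every {interval:.0f}s (cv={cv:.3f})")
```

No single 400-byte HTTPS flow in the sample is suspicious on its own, which is why a purely real-time classifier would pass it; the regularity only becomes visible once start times from the whole day are compared. Real deployments tune the bucket size, retention depth and thresholds to the available memory and the dwell times they expect to detect.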